Overview
Analysis
- max time kernel: 93s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-10-2024 08:30
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: 2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe, win7-20240903-en
- behavioral2: 2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe, win10v2004-20241007-en
- behavioral3: $9:/Documents and Settings/All Users/Application Data/Update/seupd.exe, win7-20240903-en
- behavioral4: $9:/Documents and Settings/All Users/Application Data/Update/seupd.exe, win10v2004-20241007-en
- behavioral5: $9:/Documents and Settings/$1/Application Data/Mozilla/Firefox/Profiles/$3/user.js, win7-20240903-en
- behavioral6: $9:/Documents and Settings/$1/Application Data/Mozilla/Firefox/Profiles/$3/user.js, win10v2004-20241007-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20240903-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral9: $PLUGINSDIR/nsExec.dll, win7-20240729-en
- behavioral10: $PLUGINSDIR/nsExec.dll, win10v2004-20241007-en
- behavioral11: $PLUGINSDIR/registry.dll, win7-20240903-en
- behavioral12: $PLUGINSDIR/registry.dll, win10v2004-20241007-en
- behavioral13: $TEMP/sqlite3.exe, win7-20240903-en
- behavioral14: $TEMP/sqlite3.exe, win10v2004-20241007-en
- behavioral15: $PLUGINSDIR/NSISdl.dll, win7-20240708-en
- behavioral16: $PLUGINSDIR/NSISdl.dll, win10v2004-20241007-en
- behavioral17: $PLUGINSDIR/nsExec.dll, win7-20240903-en
- behavioral18: $PLUGINSDIR/nsExec.dll, win10v2004-20241007-en
General
- Target: $9:/Documents and Settings/All Users/Application Data/Update/seupd.exe
- Size: 307KB
- MD5: 143daa59ea3c3adc09b8e08be4d796fa
- SHA1: 378adfe3038e7e25a02fdf0db8acc845fd6c0461
- SHA256: 44ffa994a1cb265688af7f7fa4862aac022a9a95b6351032aa98e101159eab86
- SHA512: f38aef36e7a7a34cc3073ab1f3334c6040b1b4a4604f181e22557d5faa758db36b8d671c3366fb4b1d9810a118f06426708fe0d22764f6084070cde3b506617f
- SSDEEP: 6144:2+npEukM2pH04MC41isbT4YcECSQxL/9n33WzdM6n1yilNLAKy5pLkvK7:sJpH04MC4PXvnS1WzBMiluZovK7
Malware Config

Signatures (all IoCs attributed to process seupd.exe)
- Loads dropped DLL (1 IoCs)
  pid 3464, seupd.exe
- Drops file in Program Files directory (1 IoCs)
  File created: C:\Program Files (x86)\Mozilla Firefox\searchplugins\google_search.xml
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes
  Key deleted: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\DisplayName = "Google"
  Set value (int): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\ShowSearchSuggestions = "1"
  Set value (int): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\SortIndex = "0"
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\FaviconURL = "http://www.google.com/favicon.ico"
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\SuggestionsURL = "http://clients5.google.com/complete/search?q={searchTerms}&client=ie8&mw={ie:maxWidth}&sh={ie:sectionHeight}&rh={ie:rowHeight}&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
  Key created: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\URL = "http://search.search-star.net/?sid=10101046100&s={searchTerms}"
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}"
Processes
- C:\Users\Admin\AppData\Local\Temp\$9_\Documents and Settings\All Users\Application Data\Update\seupd.exe (PID 3464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$9_\Documents and Settings\All Users\Application Data\Update\seupd.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
Network
- DNS, remote address 8.8.8.8:53
  Request: g.bing.com IN A
  Response:
    g.bing.com IN CNAME g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net IN CNAME ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net IN A 150.171.28.10
    ax-0001.ax-msedge.net IN A 150.171.27.10
- HTTP, remote address 150.171.28.10:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5458f46a80094569b89a90fabb008749&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=25FA5B7A81296FB900F44E69802F6E90; domain=.bing.com; expires=Mon, 03-Nov-2025 20:36:16 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C9D9A0EB7390458EB0202CF9796D3A27 Ref B: LON601060107023 Ref C: 2024-10-09T20:36:16Z
    date: Wed, 09 Oct 2024 20:36:16 GMT
- HTTP, remote address 150.171.28.10:443
  Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5458f46a80094569b89a90fabb008749&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=25FA5B7A81296FB900F44E69802F6E90
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=GcwYgdMJrTBOfmDKDuC7IGbqlQSFZ949c38qIwA0_C0; domain=.bing.com; expires=Mon, 03-Nov-2025 20:36:16 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BEA21C7FE7A14BADB112FB58BFC80445 Ref B: LON601060107023 Ref C: 2024-10-09T20:36:16Z
    date: Wed, 09 Oct 2024 20:36:16 GMT
- HTTP, remote address 150.171.28.10:443
  Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5458f46a80094569b89a90fabb008749&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=25FA5B7A81296FB900F44E69802F6E90; MSPTC=GcwYgdMJrTBOfmDKDuC7IGbqlQSFZ949c38qIwA0_C0
  Response:
    HTTP/2.0 204
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BEF6BD1CADA04CCD9E38FDF528529EDE Ref B: LON601060107023 Ref C: 2024-10-09T20:36:17Z
    date: Wed, 09 Oct 2024 20:36:16 GMT
- Connection summary: 150.171.28.10:443 (g.bing.com), tls, http2 (2.0kB 9.4kB 21 19)
  HTTP requests, each answered with HTTP 204:
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5458f46a80094569b89a90fabb008749&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=
    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5458f46a80094569b89a90fabb008749&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5458f46a80094569b89a90fabb008749&localId=w:45F2691B-218C-F38E-DD34-9B67AA44BEAA&deviceId=6825841072482335&anid=
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: 24a7a119e289f1b5b69f3d6cf258db7c
  SHA1: fec84298f9819adf155fcf4e9e57dd402636c177
  SHA256: ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
  SHA512: fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861